
Anyone having issues attempting to update Big Sur devices via Policy and using Apple's Software Update server? The policy is not working for Big Sur, including Intel machines. Attempting to get the latest update (20D74).



With the terminal open, it states it downloads. It shows as completed in Jamf within the policy. Also within client history. Yet reboot does not install the update.



Mojave and Catalina devices update fine.

Still looking for a way to run Apple Security Updates, now version 11.5, on computers with no user intervention? Running Jamf Pro Version 10.30, nothing is working. softwareupdate -i -a -R says it works, but it downloads and nothing happens. Any workarounds? Why is Jamf not resolving this issue? It's been months.



We began prepping our lifecycle replacements in earnest over the last two weeks, and I have become keenly aware of this problem.  The Management Command method of running updates is unreliable at best, and having to do so one machine at a time is not reasonable.  The ability to schedule updates (not just manually initiate them via a mass action) needs to be a priority.


I have been trying Nudge.  As we need to provide some info to end user before we move with an update.  Still in testing phase for us.

https://community.jamf.com/t5/jamf-pro/nudge-macos-updates/m-p/243467#M228760

 

 


I ran an update via policy yesterday, and it downloaded and prompted me to reboot. After entering my non-admin user account password, machine rebooted and installed 11.2.2.



Hi Sir

I'm new to Jamf. Could you please share your workflow and how you did it?

 

 

 



The issue is that there used to be a great work flow in Jamf Pro for running Apple Security updates 

Policies

Payload: Software Updates

Install from Apple Software Update Server

This worked great up until about 6 months ago! The issue is with Intel-based iMacs running macOS 11 Big Sur. Now this Policy no longer works. Apple's response is that they are not an enterprise solution and that is why you pay for an MDM like Jamf Pro. It is their issue.

Apple is requiring a manual reboot on M1 Apple Silicon Macs and that we know, but I am still just trying to update Intel based iMacs which are requiring a manual reboot like the M1s so obviously there's a disconnect between Intel and M1s in Jamf Pro. 

Tried a dozen scenarios and this is the latest, the issue is it will download the Apple update, but I have to log in to each iMac and click Restart which is a bit challenging when you have hundreds. 

Latest Policy:

Just Files & Processes: softwareupdate -iaR --force

I got this to work on one Intel iMac and that gave me hope, but it is not working. Same issue will not Restart automatically.


"InstallForceRestart" results in the same error. I have posted my script here, maybe someone can shed some light on what I am missing.



#!/bin/bash

# API login info
apiuser="Temp User"
apipass="Temp Password"
jamfProURL="https://ORG.jamfcloud.com"

# Grab serial number, OS version of computer and CPU type
SerialNumber=$(system_profiler SPHardwareDataType | grep 'Serial Number (system)' | awk '{print $NF}')
macOSVersion=$(sw_vers -productVersion)
arch=$(/usr/bin/arch)

# Check macOS major version
CheckIt=$(echo "$macOSVersion" | cut -d . -f 1)

# Set xpath option based on macOS major version (xpath needs -e on macOS 11 and later)
if [[ "$CheckIt" -ge 11 ]]; then
    xpath="xpath -e"
else
    xpath="xpath"
fi

function scheduleOSUpdateViaAPI() {
    # Grab the computer's JSS ID ($xpath stays unquoted so "xpath -e" splits into command and option)
    jamfProCompID=$(/usr/bin/curl -s -u "${apiuser}:${apipass}" "${jamfProURL}/JSSResource/computers/serialnumber/${SerialNumber}/subset/general" | $xpath "/computer/general/id/text()")

    # Initiate the InstallForceRestart key (download and install the update, and restart computers after installation).
    # To allow for updates without user interaction on target computers with Apple silicon,
    # the Bootstrap Token for the computers must be escrowed with Jamf Pro.
    /usr/bin/curl -s -X POST -H "Content-Type: text/xml" -u "${apiuser}:${apipass}" "${jamfProURL}/JSSResource/computercommands/command/ScheduleOSUpdate/action/InstallForceRestart/id/${jamfProCompID}"
}

if [[ "$arch" == "arm64" ]]; then
    scheduleOSUpdateViaAPI
else
    /usr/sbin/softwareupdate --install --all --include-config-data --restart --force
fi

exit 0


From my testing, that API call AND from the GUI does nothing to the M1 Air and Mac mini I have. They don't restart or install the updates at any point 😞


Sorry for the delay. My Files & Processes payload is simply:



softwareupdate -i -a -R


However, it doesn't seem to work after 11.2.3 (attempting to install 11.3) so I'm back to square one.



Does this notify the user that their machine is restarting or does it run silently in the background?



We use the same process and notify the user via the policy.  It's simple but we've had a lot of issues with Macs consistently updating.  I cannot get it to work on M1's either


I think the only way I can get this to work in a policy is by using a script with an API script similar to the script @nelsoni posted above.



Otherwise the only option is manually pushing an 'InstallForceRestart' command using a mass action, which is not scalable. The other issue is what gets installed with this command when there are multiple updates pending. That's not documented and appears to be the luck of the draw.



Not sure if it works for you, but the API command on an 11.3.1 M1 Mac mini does not work, and neither does the GUI, even with the new RC Jamf version.


@jtrant , No improvement.. The InstallASAP key doesn't immediately restart the device.. And of course shutdown -r is only restarting but the update isn't being applied....



This is my attempt to update from 11.3.1 to 11.4
Edit.. As I'm sitting here typing.. It just rebooted out of nowhere using the Install key, and installed the update.. Lovely



What command was this?

The softwareupdate one?

Lastly, was this for minor or major? IIRC minor works without creds along with Safari or whatnot, but it's the majors that cause problems, but I could be mistaken.



How is Nudge working out for you? We are reluctant to add another agent on a device for running updates. So far one of our techs is messaging people directly.  It seems to work better than 2 communication emails.  We don't have 100s of Macs yet and only about 51 people were on 11.5.1 or less but all on Big Sur.



I have tried using softwareupdate -i -a -R and User Interaction with some success, but still not good enough. The issue is the user is not notified a reboot will occur (even after adding in the Reboot Policy). Once the update is downloaded the device just reboots. The download is really slow (as mentioned elsewhere here) and end users are not sure if it is actually working.
This leads into another issue. The time is UTC time, which is challenging when you are dealing with Macs on a global scale.

I then resorted to this Babodee. It took me a long time to understand what it does and had various results. Perhaps it was the VM not liking the updates and snapshot restoring. I am still struggling with Big Sur updates (from 11.2.3, 11.3.x and 11.4) and struggling to understand how to configure the script.

It really has been a challenge trying to find a method which allows the users to defer for 48 hrs, then it's forced... and works consistently.

Mass emails asking users to update have worked a little bit. I now have a Jamf Notification Message which appears on users' devices 1x per day informing them to update their machine.

Finally, one of our techs is messaging people directly telling them to update (50 or so). This method, although manual and slow, is having the biggest effect.

Let's hope Monterey resolves updating.


@beeboo , I run my script prior to running @nelsoni script he posted above.. I am using the Install key in the API script. I'm only using the API script for macOS Big Sur(Intel/M1).. My script kicks off the -policy event that calls the API script based upon a user's selection to Delay or Install Now.. The only edit I made to his script was encrypt the api password..



#!/bin/bash

#############################################################################################
# - The purpose of this script is to allow softwareUpdates for macOS Big Sur on Intel/M1's
# - This script will resolve the need for user input during software updates
# - The password will be Encrypted for security reasons
#
# - Created by: Ian Nelson
# - Modified: DeWon Farris 6/3/2020
# - Version: 1.1 #Encrypted API password
#############################################################################################

# Decrypt the API password ($1 = encrypted string, $2 = salt, $3 = passphrase)
function DecryptString() {
    echo "${1}" | /usr/bin/openssl enc -aes256 -d -a -A -S "${2}" -k "${3}"
}

# API login info
apiuser="APIUser"
apipass=$(DecryptString "$4" 'string.goes.here' 'key.goes.here')
jamfProURL="https://company.url.here"

# Grab serial number and OS version of computer
SerialNumber=$(system_profiler SPHardwareDataType | grep 'Serial Number (system)' | awk '{print $NF}')
macOSVersion=$(sw_vers -productVersion)

# Check macOS major version
CheckIt=$(echo "$macOSVersion" | cut -d . -f 1)

# Set xpath option based on macOS major version (xpath needs -e on macOS 11 and later)
if [[ "$CheckIt" -ge 11 ]]; then
    xpath="xpath -e"
else
    xpath="xpath"
fi

# Curl the API to install software updates ASAP after the user chooses to delay or install now
# ($xpath stays unquoted so "xpath -e" splits into command and option)
jamfProCompID=$(/usr/bin/curl -s -u "${apiuser}:${apipass}" "${jamfProURL}/JSSResource/computers/serialnumber/${SerialNumber}/subset/general" | $xpath "/computer/general/id/text()")
echo "$jamfProCompID"
/usr/bin/curl -s -X POST -H "Content-Type: text/xml" -u "${apiuser}:${apipass}" "${jamfProURL}/JSSResource/computercommands/command/ScheduleOSUpdate/action/installASAP/id/${jamfProCompID}"

exit 0


Is this with the latest version of Jamf? I think 10.32 or whatnot?

I tested the GUI iteration of this when I was RC'ing 10.32 and it worked, but it ended up rebooting at an undetermined time, thus out of the control of the user and myself.

Also couldn't do a schedule or anything, it just ran it as a management task.

Lastly it didn't give me any options aside from I think the type of update, like all or some aspects of the available updates (gotta double this part).

Based on that testing scheme, I don't have a reliable way to allow a user to get the update and reboot without a random interruption. I think the API would work the same or at least similarly to the GUI, but I am still left to the mercy of "random" reboot.


so this works, tested on Big Sur M1 machines

 

https://{{url}}/JSSResource/computercommands/command/ScheduleOSUpdate/action/install/id/:id

And while the command respects comma-separated values, anyone know how to get the information from an array to then do a one-liner with commas using bash?

 

example: https://{{url}}/JSSResource/computercommands/command/ScheduleOSUpdate/action/install/id/9,100,92,1,500


I'm trying to implement this into my environment, and it seems to be working, but we always get an administrative pop up that reads "SoftwareUpdateNotificationManager is trying to install Apple software," so there is still a requisite user interaction.

Does anyone know what this is and how to pre-approve/skip/suppress this? It's driving me crazy!



Sorry I am an idiot. What does an idiot like me do with this info. How is this invoked? Is this all the info needed or does it fit someplace in a script? Step by step would be very helpful.



@TSOAFTVPPC the steps are a little spread out, but all the info you need for this to kick it off (successfully or otherwise) is here in this thread - feel free to look at my other entries in this post to get a better idea.

 

1. I run the command in Postman as a test, but you can script it if you want

2. replace URL variable with your instance

3. the numbers after "/id/" are the computer ids of the machines you want to target. mine are out of date big sur machines only

4. not included here but something you need to look into is adding credentials to postman, but you can choose basic auth or token, or anything that you have access to really.



Does it actually require interaction or is it more of a notification prompt?

If you can share a screenshot that'd be awesome.



What I am doing is running that command in File and Processes in a policy that is set to a smart group that lists if any machine has an update available. I also have it under the user interaction tab set for a 7 day duration with some basic information under the start message field. Basically stating if they fail to install the update before the allotted time their machine will restart with no warning.

 

This does pop up a management action window stating the machine has an update and allows them to defer until that 7 day period is reached. If they fail to update before then their machine will update and reboot with our warning. Although still not the best does give the user at least a little heads up.

 

From what I have read, Apple wants to make it even harder by forcing the use of mass action commands. So for all machines that meet a set criteria, admins push a button that forces all machines to download/install any update and force reboot the machine with no warning at all.



To use bash variables inside a curl URL, enclose the variable with curly braces: ${variable}

url="jamf.acme.com"
curl -sS "https://${url}/JSSResource/computercommands/command/ScheduleOSUpdate/action/install/id/9,100,92,1,500"
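
Added example, not from any post in this thread: joining a list of computer IDs with commas for the ScheduleOSUpdate URL quoted above, written with positional parameters so the same function also takes a bash array via "${ids[@]}". JAMF_URL, API_USER and API_PASS are assumed environment variables, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from any post in this thread).
# Assumed environment variables: JAMF_URL, API_USER, API_PASS.

# Join computer IDs with commas. Each ID must be a plain decimal number, so
# nothing else can end up in the request path.
# From a bash array, call it as: join_ids "${ids[@]}"
join_ids() {
    joined=""
    for id in "$@"; do
        case "$id" in
            ''|*[!0-9]*) echo "invalid computer ID: '$id'" >&2; return 1 ;;
        esac
        joined="${joined:+$joined,}$id"
    done
    [ -n "$joined" ] || { echo "no computer IDs given" >&2; return 1; }
    printf '%s\n' "$joined"
}

# Build the Classic API URL quoted in the thread: build_url BASE ACTION ID...
# Only HTTPS base URLs and the action spellings used in this thread pass.
build_url() {
    [ "$#" -ge 3 ] || { echo "usage: build_url BASE ACTION ID..." >&2; return 1; }
    base="${1%/}"; action="$2"; shift 2
    case "$base" in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $base" >&2; return 1 ;;
    esac
    case "$action" in
        install|installASAP|InstallForceRestart) ;;
        *) echo "unexpected action: $action" >&2; return 1 ;;
    esac
    id_list=$(join_ids "$@") || return 1
    printf '%s/JSSResource/computercommands/command/ScheduleOSUpdate/action/%s/id/%s\n' \
        "$base" "$action" "$id_list"
}

# Send the command: send_update ACTION ID...
# The credentials go to curl as a config file on stdin (--config -), so they
# are not passed as command-line arguments the way "-u user:pass" is. TLS
# verification stays on (no -k). Assumes the password contains no double
# quote or backslash, which would need escaping in a curl config file.
send_update() {
    url=$(build_url "$JAMF_URL" "$@") || return 1
    printf 'user = "%s:%s"\n' "$API_USER" "$API_PASS" |
        /usr/bin/curl --config - --silent --show-error --fail -X POST "$url"
}

# Example: JAMF_URL=https://jamf.example.com ./this_script --send install 9 100 92
if [ "${1:-}" = "--send" ]; then
    shift
    send_update "$@"
fi
```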

 



I've just started running into this same issue. Did you ever come up with a way to pre-approve this message?


Just wanting to add a "we're also having this issue" note to this as we have just moved from Catalina to Big Sur this year. 

Would love to see some JAMF input into this! 

I have created a 'feature request' to fix this. Feel free to give it a vote: https://ideas.jamf.com/ideas/JN-I-25777


Apple Security Updates Big Sur 11.6.3 and 11.6.4 are not downloading and the Scripts and Policies & Procedures & Mass Action are not working well for me since Jamf Pro Cloud 10.35 updated.

  • Files and processes: softwareupdate -iaR --force (the Policy is just hanging, not even working)
  • Scripts essentially running this command: /usr/sbin/softwareupdate --install --all --include-config-data --restart --force (the Policy is just hanging, not even working)

In the past these scripts worked and downloaded, which I ran overnight. Then when I came in I had to log in to start the update, but the long, tedious part, downloading, was completed. Now the System Preferences just hang. I have to go to Terminal and run: sudo /bin/launchctl kickstart -k system/com.apple.softwareupdated and then go back into System Preferences and run manually; sometimes the updates are there and most times not.



I did not. I've been so backed up with other issues, I've put this one on the back burner. I keep hoping beyond hope that each update to either macOS or Jamf will resolve this for me.

No such luck, yet.



I've finally found time to get back to this. I am currently testing the following command:

curl -X POST -sku "${apiUsername}:${apiPassword}" "${jssURL}JSSResource/computercommands/command/ScheduleOSUpdate/action/installASAP/id/${ComputerID}"

 

Which delivers this prompt:

 So, in short, this is not really an "unattended" solution.

